Introduction
This article explores the three primaries types of risk calculated in IriusRisk and explores how current and projected risk is calculated.
Risk types  Inherent, Current, and Projected
Each threat in IriusRisk has three different risk values all of them with a maximum value of 100 and a minimum value of 0.
Inherent risk: This is the "starter" risk the one that represents the risk natural to affected assets and it's exposure. Inherent risk represents the complete risk with zero mitigations being applied to this given scenario.
Formula 1  Inherent Risk = impact x likelihood (NOTE: the formula for inherent risk is independent of currently in place mitigations or planned mitigations. It is based solely on the threats, assets, and weaknesses associated within).
Current risk: This is the current risk value which is equal to inherent risk minus currently implemented mitigations or countermeasures.
Formula 2  Current Risk = Inherent Risk  implemented mitigation
Projected risk: This is our goal risk the one we will have once we have already implemented all required countermeasures. It's calculated by subtracting from the inherent risk the risk reduction produced for all implemented and required countermeasures. It's exactly like calculate the current risk assuming that all required countermeasures are already implemented.
Formula 3  Projected Risk = Current risk  planned mitigations (countermeasures in a required status)
The qualitative output of these three variables can be seen within the threats interface within IriusRisk.
Quantitative values are translated into qualitative outputs of very low (0  20), low (>20  40), medium (>40  60) , high (>60  80), and critical (>80).
Calculating Current Risk
Control risk reduction
Risk reduction is a value between 0 and 100 and represents the decrement in the threat's risk produced by each of its countermeasures. In the following flow diagram, we can see how is calculated:
Mitigation is a percentage value that represents the share of the risk reduced by the implementation of a control
Risk increment
The risk increment is an integer value between 0 and 100 that represents the increase on the threat's risk produced by failing weakness tests. Among all weakness with failed tests we will select the one with a higher impact rating and we will multiply that of a configurable factor (by default 0) to get the risk increment value.
Weakness  Test result  Impact rating 
Weakness1  PASSED  100 
Weakness2  FAILED  50 
Weakness3  FAILED  80 
Since the default factor for risk increment is 0 the result would be 0 * 80 = 0. But we need to be aware that customers might configure a different value for this factor.
By default, a weakness is created with an impact rating of 100.
Current risk calculation use case
Now we are going to do the maths in the real case describes in the section "Inherent risk calculation use case" and the inherent risk calculated in it.
As we already know the inherent risk is 71 and we have 3 controls of the same weakness :
→Weakness 1 (impact: 80)
→Control 1 (mitigation: 80, state: implemented, test: passed)
→Control 2 (mitigation: 20, state: required, test: not tested)
→Control 3 (mitigation: 30, state: recommended, test: not tested)
Calculate risk reduction for each countermeasure
We have to point out that in our code the real formula used for calculating the risk reduction value is:
factor * mitigation / 100 *inherentRisk
We have two different configurable values for factor:
 MITIGATION_FACTOR_CONTROL_TEST_PASSED: The one used when the countermeasure's test is passed. By default 1.

MITIGATION_FACTOR_CONTROL_IMPLEMENTED: The one used when the countermeasure is in state implemented and its test is not failed. By default 1.
Since by default the value for factor in all cases is 1 it doesn't make a difference in this calculation, but we must be aware that our costumers might have configured different values.
Following the decision diagram for control's risk calculation and using the default factor values we can get the following risk reductions:
 Control1: mitigation(80) * factor(1) / 100 * inherentRisk(71) = 56.8 → 57
 Control2: 0
 Control3: 0
Being the sum of all of them 57 + 0 + 0 = 57
Calculate risk increment
Since we don't have any weakness with a failed test result, the value or risk increment is 0. As a matter of fact, even if we had a weakness of such type the configurable factor for risk increment is 0 by default so it would be 0 anyway. The only case when this value has an impact on the current risk calculation is when the customer has set a different value for the configurable factor.
Putting all together
Since we already have the values for inherent risk, the sum of all control's risk reduction values and the risk increment value we can calculate the current risk like this:
inherentRisk(71)  controlsRiskReduction(57) + riskIncrement(0) = 14
Projected risk = Inherent risk  sum(all controls risk reduction)
The projected risk is our goal risk the one we will achieve once we get to correctly implement all required countermeasures. Therefore, the way we calculate the projected risk is quite similar to the way we calculate the current risk, the only difference is that in this calculation we are going to assume that all required countermeasures are correctly implemented.
Inherent risk
Represents the natural risk of a threat and depends on the probability and the impact of the threat. The correct way to calculate inherent risk is explained in the previous section.
Control risk reduction
Risk reduction is a value between 0 and 100 and represents the decrement in the threat's risk produced by each of its countermeasures.
In this case, we are going to do exactly the same that in current risk but assuming the following statements:
 All required countermeasures are implemented
 All weakness tests are passed
 All tests for required and implemented countermeasures are passed
Therefore the risk reduction is mitigation / 100 * inherentRisk for all required and implemented countermeasures and 0 for all other cases.
Projected risk calculation use case
Now we are going to do the maths with the real case described in the section "Inherent risk calculation use case" and the inherent risk calculated in it.
As we already know the inherent risk is 71 and we have 3 controls of the same weakness :
→Weakness 1 (impact: 80)
→Control 1 (mitigation: 80, state: implemented, test: passed)
→Control 2 (mitigation: 20, state: required, test: not tested)
→Control 3 (mitigation: 30, state: recommended, test: not tested)
Calculate risk reduction for each countermeasure
We have to point out that in our code the real formula used for calculating the risk reduction value is:
factor * mitigation / 100 * inherentRisk
We have two different configurable values for factor:
 MITIGATION_FACTOR_CONTROL_TEST_PASSED: The one used when the countermeasure's test is passed. By default 1.

MITIGATION_FACTOR_CONTROL_IMPLEMENTED: The one used when the countermeasure is in state implemented and its test is not failed. By default 1.
Since by default the value for factor in all cases is 1 it doesn't make a difference in this calculation, but we must be aware that our costumers might have configured different values.
The projected risk reduction for each countermeasure would be:
 Control1: mitigation(80) * factor(1) / 100 * inherentRisk(71) = 56,8 → 57
 Control2: mitigation(20) * factor(1) / 100 * inherentRisk(71) = 14,2 → 15
 Control3: 0
Being the sum of all of them 57 + 15 + 0 = 72
Putting all together
Since we already have the values for inherent risk, the sum of all control's risk reduction values and the risk increment value we can calculate the current risk like this:
inherentRisk(71)  controlsRiskReduction(72) + riskIncrement(0) = 1 → 0
Planned mitigation percentage
This percentage is shown in the threats table an represents the progress within the threat's mitigation. It's calculated by adding all the mitigation values from all the required threads which tests results are not passed
Calculate planned mitigation percentage use case
Now we are going to do the maths with the real case described in the section "Inherent risk calculation use case".
As we already know we have 3 controls:
→Control 1 (mitigation: 80, state: implemented, test: passed)
→Control 2 (mitigation: 20, state: required, test: not tested)
→Control 3 (mitigation: 30, state: recommended, test: not tested)
The only required and not passed control is Control 2 so:
sumOfRequredNotPassedMitigations(20) = 20
Comments
0 comments
Article is closed for comments.